mirror of
https://github.com/fleetdm/fleet
synced 2026-05-22 00:18:27 +00:00
Closes: #19271
Closes: #19286

Changes:
- Updated the example in the schema folder readme
- Updated the block scalar used in Fleet's osquery override documentation (`>-` » `|-`) and removed extra newlines
- Updated the block scalar used in URLs used to create new yaml override files
- Regenerated osquery_fleet_schema.json
19 lines
No EOL
1 KiB
YAML
name: windows_eventlog
examples: |-
  Tracking user account changes is a key part of both detection & incident response. This query lists all Windows Eventlogs from the Security channel with an EventID of 4720 - A user account was created. There are many other relevant EventIDs that should be monitored as well:

  - [4722: Account enabled](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4722)
  - [4724: Password reset](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4724)
  - [4728: Added to a security-enabled global group](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4728)

  ```
  SELECT datetime,computer_name,data FROM windows_eventlog WHERE eventid=4720 AND channel='Security'
  ```
notes: |-
  * This is not an evented table - instead, it pulls directly from the local system's existing eventlogs.

  * The information returned in the `data` column will be JSON formatted, which will require additional parsing.
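The notes above say the `data` column comes back as JSON that still needs parsing. The following is an added example (not Fleet's or osquery's own code) that parses result rows for the query above and for the other account-change EventIDs the page lists; the sample rows are constructed, and the `EventData` / `TargetUserName` / `SubjectUserName` key layout inside `data` is an assumption, not something the page documents.

```python
import json

# EventIDs the schema text says to monitor, with their descriptions.
ACCOUNT_EVENTS = {
    4720: "A user account was created",
    4722: "Account enabled",
    4724: "Password reset",
    4728: "Added to a security-enabled global group",
}


def parse_event_row(row):
    """Parse one windows_eventlog result row into a flat record.

    `row` holds the columns the query selects (datetime, computer_name,
    data) plus eventid. The shape of the JSON in `data` (an "EventData"
    object carrying TargetUserName/SubjectUserName) is an assumption.
    Rows for EventIDs outside ACCOUNT_EVENTS are skipped (None).
    """
    event_id = int(row["eventid"])
    if event_id not in ACCOUNT_EVENTS:
        return None
    payload = json.loads(row["data"])
    event_data = payload.get("EventData", payload)
    return {
        "datetime": row["datetime"],
        "host": row["computer_name"],
        "eventid": event_id,
        "description": ACCOUNT_EVENTS[event_id],
        "target": event_data.get("TargetUserName"),
        "actor": event_data.get("SubjectUserName"),
    }


def summarize(rows):
    """Return parsed records for every monitored account-change event."""
    return [e for e in (parse_event_row(r) for r in rows) if e is not None]


# Constructed sample rows shaped like osquery output for the query above.
SAMPLE_ROWS = [
    {"datetime": "2024-01-01T10:00:00Z", "computer_name": "WS01", "eventid": "4720",
     "data": json.dumps({"EventData": {"TargetUserName": "svc_backup", "SubjectUserName": "admin"}})},
    {"datetime": "2024-01-01T10:00:05Z", "computer_name": "WS01", "eventid": "4728",
     "data": json.dumps({"EventData": {"TargetUserName": "svc_backup", "SubjectUserName": "admin"}})},
    {"datetime": "2024-01-01T10:01:00Z", "computer_name": "WS01", "eventid": "4624",
     "data": json.dumps({"EventData": {"TargetUserName": "alice"}})},
]

if __name__ == "__main__":
    for entry in summarize(SAMPLE_ROWS):
        print(entry)
```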